Can Penetration Testing be considered as a part of an exhaustive Vulnerability Management program?
P.S.: I realise the difference between penetration testing and vulnerability assessment. But I want to know if both fall within the Vulnerability Management umbrella?

3 Answers

Absolutely. Penetration testing can be considered a key part of both vulnerability management and vulnerability assessments. Penetration testing is quite different to vulnerability scanning, although vulnerability scanning may be one of the initial tasks performed in a penetration test to identify obvious issues in the environment.

Penetration testing within a vulnerability management program should be done when obvious issues have been addressed, so the environment is subjected to a real-life attack scenario. It is only at this point that the defences in place can truly be measured.

When you are assessing your risk in your vulnerability management program, there are two factors to your risk equation. Vulnerability assessments provide the factor that gives you the exploit vector and its potential risk value to your organization. But the actual risk value has to be addressed in situ, in the environment in which it will be exploited, to know how truly bad it is for your specific scenario. Exploitation analysis (penetration testing) provides that real risk value and illuminates the primary, secondary and tertiary risks that vulnerability assessments cannot illuminate from the portal risk identified in vulnerability assessment.

So as an example, I know in my house I have windows and they are a vulnerability - because basically any idiot criminal can bypass a window (even with decent window alarm detection, btw). And I may think I am "safe" because I have this nice jeweler's-grade safe I keep my jewels in. However, when I hire someone to exploit my windows and break in - I may find my significant other, who I need (in case of emergencies) to get into that safe, has written down the safe combination and taped it to her desk in the office, right next to one of the windows. Now, in my vulnerability assessment, windows might have been rated as low to medium in my risk assessment since it is a well-known vulnerability. However, not until my exploitation analysis do I find I have a MAJOR risk because of the lack of protocols in handling the combination to my safe.
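The risk-equation argument above (VA severity first, exploitation analysis re-rating it once the real chain of consequences is visible) can be turned into a concrete triage rule set. The following is an added example, not code from the thread or from any named product; the finding ids, hostnames, scores and the scoring rules are all constructed for illustration. It also covers the case where a tester shows a scanner finding to be a false positive, which drops it out of the ranking.

```python
"""Added example (not from the original thread): a minimal vulnerability-management
triage that merges vulnerability-assessment (VA) findings with penetration-test
results. All ids, hosts, titles and scores below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    fid: str
    asset: str
    title: str
    base_score: float  # VA/scanner severity on an assumed 0-10 CVSS-like scale


@dataclass
class PentestResult:
    fid: str
    verified: bool  # could the tester actually exploit the finding?
    # ids of further findings the tester reached *through* this one
    chain: list[str] = field(default_factory=list)
    # impact observed after exploitation, when it differs from the VA rating
    impact_score: float | None = None


def effective_risk(findings: list[Finding], results: list[PentestResult]) -> dict[str, float]:
    """Return {fid: effective score}. Rules are this example's own assumptions:
    - a finding the pentest showed to be a false positive scores 0;
    - a verified finding keeps max(VA base score, observed impact);
    - a verified finding that chained to other findings scores at least as high as
      the highest-scoring finding in its chain (the 'window next to the safe
      combination' case from the answer above);
    - a finding the pentest did not touch keeps its VA base score."""
    by_fid = {r.fid: r for r in results}
    scores: dict[str, float] = {}
    for f in findings:
        r = by_fid.get(f.fid)
        if r is None:
            scores[f.fid] = f.base_score
        elif not r.verified:
            scores[f.fid] = 0.0  # false positive: proven non-exploitable here
        else:
            scores[f.fid] = max(f.base_score, r.impact_score or 0.0)

    # Propagate chain scores until nothing changes, so chains of chains resolve too.
    changed = True
    while changed:
        changed = False
        for r in results:
            if not r.verified or r.fid not in scores:
                continue
            for downstream in r.chain:
                if downstream in scores and scores[downstream] > scores[r.fid]:
                    scores[r.fid] = scores[downstream]
                    changed = True
    return scores


def prioritised(findings: list[Finding], results: list[PentestResult]) -> list[tuple[float, str]]:
    """Findings worth working on, highest effective risk first; zeros (false positives) dropped."""
    scores = effective_risk(findings, results)
    return sorted(((s, fid) for fid, s in scores.items() if s > 0), reverse=True)


def sample_case() -> tuple[list[Finding], list[PentestResult]]:
    """Constructed data mirroring the house/safe story: a 'low' entry point that the
    tester chained to a high-impact secret, plus one scanner false positive."""
    findings = [
        Finding("VA-1", "host-a", "Weak perimeter control (the window)", 3.5),
        Finding("VA-2", "host-b", "Outdated service version in banner", 7.0),
        Finding("PT-1", "host-a", "Secret stored beside the entry point", 9.5),
        Finding("VA-4", "host-c", "Missing hardening setting", 4.0),
    ]
    results = [
        PentestResult("VA-1", verified=True, chain=["PT-1"]),
        PentestResult("VA-2", verified=False),  # banner-only match, not exploitable
        PentestResult("PT-1", verified=True),
    ]
    return findings, results


if __name__ == "__main__":
    for score, fid in prioritised(*sample_case()):
        print(f"{score:4.1f}  {fid}")
```

The point the ranking makes is the one the answer makes in prose: VA-1 enters at 3.5 and leaves at 9.5 because the tester reached PT-1 through it, while VA-2, the scanner's highest-rated item, disappears once it is shown to be a false positive.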

Vulnerability scanners have a high incidence of false positives and proving out a vulnerability often involves exploiting it.

If you mean red teaming your environment, it's a good way to test your team's response to active threats. It also gives a good picture of the actual threat vs the environment, rather than evaluating a risk by itself without context.

Not to downplay it as part of a well-rounded risk management program, it is important, but it is more of an awareness lever for upper management than it is for those working on the technology. A well-motivated and funded (and security-minded) infrastructure management team can do much more for you in 99% of cases than a report that says what they've been telling you all along will do for their morale.